Featured Domains

GDPR will make domain name transfers more difficult

Lack of contact details in public Whois could thwart inter-registrar domain transfers.

A few Domain Name Wire readers have asked how domain name transfers will work if domain registrars and registries eliminate contact details from Whois in response to the EU’s General Data Protection Regulation (GDPR).

As it stands right now, domain name transfers could be a big problem.

The TechOps subcommittee of the Contracted Party House inside GNSO explained the difficulties — and possible solutions — to ICANN in a letter last month. The letter succinctly explains the problem:

Without question, domain name transfers will be significantly affected by GDPR, especially in light of ICANN’s recently proposed Interim Model for GDPR Compliance (Interim Model). The current ICANN transfer policy requires the gaining registrar to send a standardised form of authorisation (FOA) to the registrant or admin email address – that party is then required to take affirmative action and the involved registrars maintain a record of response. However, because the gaining registrar does not have the record of current registrant information at the time of transfer, it will typically pull it from the public WHOIS output (at the time of the transfer request, and prior to initiating a transfer request at the registry). The Interim Model does not make available the registrant’s email address through public WHOIS – leaving the gaining registrar unable to send the FOA through the usual means…

No public Whois, no easy way to get the current registrant’s information.

It’s worth noting that thick registries–those in which the registry maintains the contact details–could still grant access to registrars to get contact data. That assumes that the thick registries still maintain this data after GDPR, though.

The challenge would be biggest with thin registries–those in which only the registrar maintains the contact details. These include .com and .net.

One solution is for registrars to maintain whitelisted IP addresses for other registrars that will give them access to Whois records. But the letter points out that could take time to implement. GDPR kicks in May 25.

The subcommittee suggested a workaround until a long term fix can be instituted.

A short-term solution might seem like a blast from the past. The new registrar would initiate a transfer based on receiving the EPP/auth code from the registrant. The old registrar would then send an email to the registrant. If they don’t approve the transfer, the losing registrar could deny the transfer. (Currently, no response after five days is assumed as approval.)

The group also said that ICANN would need to revoke the change of registrant procedure for now. Registrars would verify the registrant for each completed inbound transfer.

Right now ICANN is pushing European data authorities to delay action as it relates to Whois. But registrars might not act universally. Denying access to Whois contact details would be a convenient way for a registrar to slow down outbound transfers.

Comments

As the letter said, contracted parties suggested removing the gaining registrar form of authorization exactly to address GDPR issues. So the attempt is to keep transfers working, not to detain them, which would be clearly anti-competitive.

I’m still at a huge loss as to why the world is changing whois based on some European law. Couldn’t registries based anywhere else get around the law since…well they aren’t in their jurisdiction? Just put in the TOS that people from countries with this law must use whois privacy or don’t allow these people to be customers at all..Seems absurd that the world is being punished because of this.